
Cannot specify securityContext container attribute

Open franck102 opened this issue 4 years ago • 1 comments

This is an improvement request

Describe the bug

The timescaledb-single chart won't let you configure a securityContext container attribute. This is required in Kubernetes clusters that use pod security policies (else the container starts as root and postgres refuses to start):

containers:
        - name: timescaledb
          securityContext:
            allowPrivilegeEscalation: false
            runAsGroup: 1000
            runAsNonRoot: true
            runAsUser: 1000

We have to create a local copy of the chart to work around this issue.

franck102 avatar Nov 06 '20 15:11 franck102

The Single Helm Chart defaults to the default securityContext, which:

Defaults to user specified in image metadata if unspecified.

https://v1-18.docs.kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#securitycontext-v1-core

Which is postgres for this image.

docker inspect timescaledev/timescaledb-ha:pg12.5-ts2.0.0-p0 | jq '.[0].Config.User' -r
postgres

However, it may be good to explicitly configure this setup. See #252

feikesteenbergen avatar Jan 12 '21 12:01 feikesteenbergen
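The thread turns on which settings apply when the container-level securityContext is left out, so here is an added example (not part of the original issue and not the chart's own code) that computes each container's effective settings from a workload in JSON form and reports what a non-root policy would reject. The sample manifest, the `sidecar` container and the function names are constructed for illustration.

```python
import json

# Constructed sample in the shape of `kubectl get statefulset <name> -o json`,
# trimmed to the fields the check reads. Not taken from the real chart.
SAMPLE = json.loads("""
{"kind": "StatefulSet", "spec": {"template": {"spec": {
  "securityContext": {"runAsUser": 1000, "fsGroup": 1000},
  "containers": [
    {"name": "timescaledb",
     "securityContext": {"allowPrivilegeEscalation": false,
                         "runAsGroup": 1000, "runAsNonRoot": true}},
    {"name": "sidecar"}
  ]
}}}}
""")

# Fields a container inherits from the pod-level securityContext when unset.
INHERITED = ("runAsUser", "runAsGroup", "runAsNonRoot")


def effective_context(pod_spec, container):
    """Merge pod-level and container-level settings the way Kubernetes does:
    the container value wins, and allowPrivilegeEscalation is container-only."""
    pod_sc = pod_spec.get("securityContext") or {}
    ctr_sc = container.get("securityContext") or {}
    eff = {k: ctr_sc.get(k, pod_sc.get(k)) for k in INHERITED}
    eff["allowPrivilegeEscalation"] = ctr_sc.get("allowPrivilegeEscalation")
    return eff


def audit(workload):
    """Return {container name: [findings]} for a Deployment/StatefulSet dict."""
    pod_spec = workload["spec"]["template"]["spec"]
    report = {}
    for ctr in pod_spec.get("containers", []):
        eff, findings = effective_context(pod_spec, ctr), []
        if eff["runAsNonRoot"] is not True:
            findings.append("runAsNonRoot not enforced")
        if eff["runAsUser"] in (None, 0):
            findings.append("runAsUser unset (image USER applies) or 0")
        if eff["allowPrivilegeEscalation"] is not False:
            findings.append("allowPrivilegeEscalation not disabled")
        report[ctr["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "OK" if not findings else findings)
```

In the sample, `timescaledb` passes because it inherits `runAsUser` from the pod level, while `sidecar` is flagged because `runAsNonRoot` and `allowPrivilegeEscalation` are set nowhere for it.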